Summary of the invention
To solve the problems of the prior art described above, embodiments of the invention provide a web intrusion prevention method and system applied at the application layer, addressing the problem that existing firewalls cannot detect attacks well. The technical scheme is as follows:
A web intrusion prevention method applied at the application layer comprises:
obtaining a visitor's access behavior;
judging, according to a preset dangerous-behavior criterion, whether the access behavior is a dangerous behavior, and if so, obtaining the threat value of the access behavior from a pre-established correspondence between dangerous behaviors and threat values and adding that threat value to the visitor's accumulated threat value so as to update the accumulated threat value;
defending against the visitor's access behavior according to the visitor's accumulated threat value.
Preferably, the method further comprises: simulating application-layer system vulnerabilities in advance using honeypot technology.
Preferably, when none of the visitor's access behaviors within a preset time period is a dangerous behavior, the visitor's accumulated threat value is reduced.
Preferably, defending against the visitor's access behavior according to the visitor's accumulated threat value comprises:
dividing visitors into four danger levels according to their accumulated threat values, namely normal user, suspicious user, general attacker and dangerous attacker;
defending against the visitor's access behavior according to the visitor's danger level.
Preferably, when the visitor's danger level is dangerous attacker, defending against the visitor's access behavior comprises: blocking the visitor's access behavior and returning a disguised blocking page to the visitor.
Preferably, the preset dangerous-behavior criterion is obtained by the system learning from historical normal access behavior and/or dangerous access behavior.
Preferably, the preset dangerous-behavior criterion comprises:
the access parameters of the visitor's access behavior satisfying a preset dangerous-behavior access-parameter requirement, the visitor's access behavior carrying a dangerous keyword, the means adopted by the visitor's access behavior being dangerous, and/or the destination address accessed by the visitor's access behavior being a security-sensitive address.
Preferably, the access parameters comprise: the length of the parameters carried by the access behavior, the type of the parameters carried by the access behavior, the submission method of the parameters carried by the access behavior, and the time interval between pages browsed by the access behavior.
Corresponding to the foregoing web intrusion prevention method applied at the application layer, the invention also provides a web intrusion prevention system applied at the application layer, comprising an access behavior acquisition module, a threat value generation module and a defense module, wherein:
the access behavior acquisition module is configured to obtain the visitor's access behavior;
the threat value generation module is configured to judge, according to a preset dangerous-behavior criterion, whether the access behavior is a dangerous behavior, and if so, to obtain the threat value of the access behavior from a pre-established correspondence between dangerous behaviors and threat values and to add that threat value to the visitor's accumulated threat value so as to update the accumulated threat value;
the defense module is configured to defend against the visitor's access behavior according to the visitor's accumulated threat value.
Preferably, the system further comprises a honeypot module configured to simulate application-layer system vulnerabilities in advance using honeypot technology.
By adopting the above technical scheme, the invention assigns threat values to a visitor according to the dangerous behaviors found in the visitor's access behavior and superimposes the threat values of those dangerous behaviors to generate an accumulated threat value, so that defense can be applied on the basis of several of a user's access behaviors taken together. This solves the problem that keyword detection alone cannot detect attacks well.
Embodiment
In order to enable those skilled in the art to better understand the technical scheme of the invention, the technical scheme in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
As shown in Figure 1, a web intrusion prevention method applied at the application layer provided by an embodiment of the invention comprises:
S101, obtaining a visitor's access behavior;
S102, judging, according to a preset dangerous-behavior criterion, whether the access behavior is a dangerous behavior, and if so, obtaining the threat value of the access behavior from a pre-established correspondence between dangerous behaviors and threat values and adding that threat value to the visitor's accumulated threat value so as to update the accumulated threat value;
The preset dangerous-behavior criterion may be obtained by the system learning from historical normal access behavior and dangerous access behavior. Specifically, the system may perform statistical analysis on a large volume of historical normal access behavior and/or dangerous access behavior and determine the dangerous-behavior criterion from it.
The preset dangerous-behavior criterion may comprise: the access parameters of the visitor's access behavior satisfying a preset dangerous-behavior access-parameter requirement, the visitor's access behavior carrying a dangerous keyword, the means adopted by the visitor's access behavior being dangerous, and/or the destination address accessed by the visitor's access behavior being a security-sensitive address. The access parameters of the visitor's access behavior may comprise: the length of the parameters carried by the access behavior, the type of the parameters carried by the access behavior, the submission method of the parameters carried by the access behavior, and the time interval between pages browsed by the access behavior.
The following takes learning the access-parameter requirement of dangerous behavior from a large volume of historical normal access behavior as an example:
1. Learning the length of the parameters carried by the access behavior:
For the parameter Name, statistical analysis of a large number of normal access behaviors carrying this parameter gives a mean of 6 and a variance of 2 for its length, so the learned range of this parameter under normal access behavior is 4-8 (the mean minus the variance is the minimum of the range and the mean plus the variance is the maximum). The length of the Name parameter in the dangerous-behavior criterion is therefore: less than 4 or greater than 8. (A practitioner should note that the variance has squared units; the standard deviation, or a multiple of it chosen to set the false-positive rate, is what is normally added to and subtracted from the mean.) Of course, the statistical methods differ for parameters with different characteristics, and the invention does not repeat them here.
2. Learning the type of the parameters carried by the access behavior:
For the parameter ID, statistical analysis of a large number of normal access behaviors carrying this parameter shows that the type of parameter ID is numeric. The type of parameter ID in the dangerous-behavior criterion is therefore determined to be non-numeric.
3. Learning the submission method of the parameters carried by the access behavior:
For the parameter Password, statistical analysis of a large number of normal access behaviors carrying this parameter shows that the submission method of parameter Password is POST. The submission method of parameter Password in the dangerous-behavior criterion is therefore determined to be non-POST.
4. Learning the time interval between pages browsed by the access behavior:
There are many specific learning methods; for example, a number of access behaviors are drawn at random from the normal access behavior samples, the mean and variance of their page-browsing time intervals are computed, the mean minus the variance is taken as the minimum of the normal page-browsing interval and the mean plus the variance as its maximum. It is easy to see that this also yields the page-browsing interval criterion in the dangerous-behavior criterion (an interval outside that range). Of course, other learning methods may also be used, and the invention is not limited in this respect.
It should be noted that all of the above learning is carried out on the HTTP/HTTPS protocol of the web.
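The four learning steps above, as an added worked example in Python that is not part of the patent: it learns the per-parameter length range (mean plus and minus the variance, as the page specifies), the parameter type, the submission method and the page-browsing interval from a constructed sample of normal requests, and then checks a new request against the learned criterion. The sample traffic, the paths, the client addresses and the function names are assumptions made for this example; the page itself names only the parameters Name, ID and Password.

```python
import statistics
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# CONSTRUCTED training sample of normal traffic (not real logs):
# (timestamp in seconds, client address, method, URL, form body).
# Name lengths are 4, 8, 6, 6 so that, as in the page's example,
# the mean is 6 and the variance is 2.
NORMAL_REQUESTS = [
    (0.0,  "10.0.0.1", "GET",  "/user?Name=Anna&ID=1001", ""),
    (10.0, "10.0.0.1", "GET",  "/user?Name=Isabella&ID=1002", ""),
    (18.0, "10.0.0.1", "POST", "/login", "Name=Robert&Password=hunter2"),
    (0.0,  "10.0.0.2", "GET",  "/user?ID=1003", ""),
    (12.0, "10.0.0.2", "GET",  "/index", ""),
    (22.0, "10.0.0.2", "POST", "/login", "Name=Daniel&Password=letmein"),
]


def parameters(url, body):
    """Parameters carried by one request: query string first, then form body."""
    return parse_qsl(urlsplit(url).query) + parse_qsl(body)


def learn_profile(requests):
    """Learn from normal traffic, for every parameter, the length range, whether
    it is numeric and the submission methods seen, plus the normal range of the
    page-browsing interval. Ranges are mean +/- variance, as the page states."""
    lengths = defaultdict(list)
    numeric = defaultdict(lambda: True)
    methods = defaultdict(set)
    last_seen, intervals = {}, []
    for ts, client, method, url, body in sorted(requests):
        for name, value in parameters(url, body):
            lengths[name].append(len(value))
            numeric[name] &= value.isdigit()
            methods[name].add(method)
        if client in last_seen:                    # interval per client
            intervals.append(ts - last_seen[client])
        last_seen[client] = ts
    profile = {}
    for name, seen in lengths.items():
        mean, var = statistics.mean(seen), statistics.pvariance(seen)
        profile[name] = {"length": (mean - var, mean + var),
                         "numeric": numeric[name], "methods": methods[name]}
    mean, var = statistics.mean(intervals), statistics.pvariance(intervals)
    return profile, (mean - var, mean + var)


def check_request(profile, interval_range, method, url, body, interval=None):
    """Return the dangerous-behaviour criteria that one request violates.
    `interval` is the time since this client's previous page, if known."""
    findings = []
    for name, value in parameters(url, body):
        learned = profile.get(name)
        if learned is None:                        # page: unknown behaviour
            findings.append(f"{name}: unknown parameter")
            continue
        low, high = learned["length"]
        if not low <= len(value) <= high:
            findings.append(f"{name}: length out of range")
        if learned["numeric"] and not value.isdigit():
            findings.append(f"{name}: type mismatch")
        if method not in learned["methods"]:
            findings.append(f"{name}: submitted via {method}")
    if interval is not None and not interval_range[0] <= interval <= interval_range[1]:
        findings.append("interval out of range")
    return findings
```

With the sample above the learned Name range is 4-8, ID is numeric and GET-only, Password is POST-only and the normal interval is 8-12 seconds; a request such as `/user?Name=A&ID=1%27+OR+1%3D1` arriving half a second after the previous page then violates the length, type and interval criteria at once.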
The cases in which the means adopted by the visitor's access behavior is dangerous and in which the destination address accessed by the visitor's access behavior is a security-sensitive address are described below (the case in which the access behavior carries a dangerous keyword is prior art and is not explained further).
Through honeypot luring, if the visitor's access behavior comprises a database download, a login attempt with a universal password on a fake admin backend and/or a login attempt with a weak password on a fake admin backend, then the means adopted by these three kinds of access behavior is dangerous. Those skilled in the art will readily understand that the directory /data/ is one that attackers commonly access and attack, and that the 404 page often appears during an attacker's probing; both are security-sensitive addresses, and access behavior that visits a security-sensitive address is threatening.
In practice, each dangerous behavior can be assigned a threat value according to its degree of danger. Part of one such correspondence is disclosed below, as shown in Table 1:
| Dangerous behavior | Threat value |
| SQL injection _ blind injection _ 018 | 6 |
| SQL injection _ union injection _ 019 | 12 |
| Parameter length exceeds threshold | 3 |
| Parameter type does not match | 3 |
| Malicious web crawler detected from UA | 3 |
| Access time interval too short | 1.6 |
| Access to sensitive directory /data/ | 2 |
| Honeypot lure: database download | 20 |
| Honeypot lure: universal-password login attempt on fake backend | 3 |
| Honeypot lure: weak-password login attempt on fake backend | 6 |
| Access to 404 page | 0.5 |
| Access to sensitive directory | 4 |
| ... | ... |
Table 1
It should be noted that the threat values corresponding to the above dangerous behaviors can be updated. For example, in the original correspondence table between dangerous behaviors and threat values, an unknown access behavior corresponds to a threat value of 2; when, after a period of learning, that unknown access behavior turns out to be a particular dangerous behavior that is not yet in the table, a threat value is assigned to that dangerous behavior and the original correspondence table is updated.
When the visitor's first access behavior is obtained, the visitor is first given an initial accumulated threat value (e.g. 0); it is then judged whether this first access behavior is a dangerous behavior, and if so the threat value corresponding to that dangerous behavior is added to the accumulated threat value according to the correspondence between dangerous behaviors and threat values. As the visitor's access behaviors occur one after another, the visitor's accumulated threat value is updated according to each of them.
In other embodiments of the invention, when none of the visitor's access behaviors within a preset time period is a dangerous behavior, the visitor's accumulated threat value can be reduced. It is easy to see that a dangerous behavior may also arise from a visitor's mistaken operation or from a misidentification, and if dangerous behaviors occur repeatedly the visitor is considered to have a high threat level and the system may block the visitor's access. Therefore, in other embodiments of the invention, if the visitor causes no dangerous behavior within a certain time period, the visitor's accumulated threat value can be reduced. The specific time period and the degree of reduction of the accumulated threat value can be set according to actual conditions. One method of reducing the threat value is disclosed below, as shown in Table 2:
| Danger level | Degradation condition | Threat value reduced to |
| Dangerous attacker | Access blocked for 20 hours | 34 |
| General attacker | No dangerous behavior for 10 hours | 18 |
| Suspicious user | No dangerous behavior for 2 hours | 8 |
| Normal user | No dangerous behavior for 40 minutes | 0 |
Table 2
Comparing with Table 3, it can be seen that when a visitor causes no dangerous behavior within the given time period, the visitor's danger level is lowered by one level, but the accumulated threat value is set to the maximum value of the lowered level. In this way, as soon as the visitor performs a new dangerous behavior, the visitor's danger level is raised again, which guarantees a higher level of security.
It should be noted that in practice the above dangerous-behavior criteria can be used selectively according to how high the security requirements are. For example, if the security requirements are high, all of the above criteria can be applied at the same time, so that an access behavior is judged to be a dangerous behavior as soon as any one of the criteria is satisfied, which improves the security of the system. If the security requirements are lower, two of the criteria can be selected for judging dangerous behavior. Of course, in practice the above criteria can also be chosen according to the actual situation; for example, when access requests to security-sensitive addresses occur repeatedly, at least the criterion that the destination address accessed by the visitor's access behavior is a security-sensitive address can be selected.
S103, defending against the visitor's access behavior according to the visitor's accumulated threat value.
Specifically, visitors can be divided into several danger levels according to their current accumulated threat values, and then defended against according to their danger level. One such division is disclosed below: according to the visitor's current accumulated threat value, visitors are divided into four danger levels, namely normal user, suspicious user, general attacker and dangerous attacker, and the visitor's access behavior is then defended against according to the visitor's danger level. Of course, those skilled in the art will understand that visitors can be divided into some other number of danger levels, and the invention is not limited in this respect.
The defense processing corresponding to a danger level can take several forms, such as: not blocking any access behavior of the visitor; not blocking any access behavior of the visitor but recording the data of the dangerous behaviors in the visitor's access behavior; recording the data of the visitor's access behavior and blocking the visitor; and blocking the visitor's access within a preset time period. Of course, the above defense processing has to be matched to visitors of different danger levels, and the specific correspondence can take several forms. In practice, defense processing that does not block access corresponds to visitors with a lower danger level, and defense processing that blocks the visitor's access within a preset time period corresponds to visitors with a higher danger level.
For the correspondence between dangerous behaviors and threat values shown in Table 1, one correspondence between accumulated threat value, visitor danger level and defense processing according to the invention is disclosed below, as shown in Table 3:
Table 3
In another embodiment of the invention, when the visitor's danger level is high (e.g. dangerous attacker), defending against the visitor's access behavior may comprise: blocking the visitor's access behavior and returning a disguised blocking page to the visitor. It is easy to see that a visitor with a higher danger level has more intelligent and diverse attack methods, and once such a visitor learns from the returned blocking page that his access has been blocked, he will try to attack the intrusion prevention system itself. Therefore, if the blocking page returned to an attacker with a higher danger level is disguised as an ordinary error page, the attacker cannot easily learn that his access has been blocked, which better guarantees the security of the system. Of course, in other embodiments of the invention the disguised blocking page can also be returned to every visitor whose accumulated threat value is non-zero, thereby improving the security of the system.
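Steps S102 and S103 as an added example in Python, not the patent's own code: it accumulates the threat values of Table 1, applies the Table 2 decay rule (drop one level, leaving the score at the ceiling of the new level), and returns the defense for each danger level, including the disguised blocking page for a dangerous attacker. The level ceilings 8, 18 and 34 are an assumption inferred from the "reduced to" column of Table 2, since Table 3 is not reproduced on the page; the mapping of levels to specific actions, the behavior identifiers and the block-page bodies are likewise assumptions made for this example.

```python
from dataclasses import dataclass, field

# Threat values copied from Table 1 of the page (a subset).
THREAT_VALUES = {
    "sql_blind_injection_018": 6,
    "sql_union_injection_019": 12,
    "parameter_length_exceeds_threshold": 3,
    "parameter_type_mismatch": 3,
    "access_interval_too_short": 1.6,
    "access_sensitive_dir_data": 2,
    "honeypot_database_download": 20,
    "honeypot_weak_password_login": 6,
    "access_404_page": 0.5,
}

# Danger levels with the accumulated-threat ceiling of each level.
# ASSUMPTION: Table 3 is not on the page; the ceilings 8/18/34 are inferred
# from Table 2, whose "reduced to" values are the maxima of the next level down.
LEVELS = [
    ("normal user", 8),
    ("suspicious user", 18),
    ("general attacker", 34),
    ("dangerous attacker", float("inf")),
]

# Table 2: quiet time (seconds) after which the visitor drops one level.
QUIET_PERIOD = {
    "dangerous attacker": 20 * 3600,
    "general attacker": 10 * 3600,
    "suspicious user": 2 * 3600,
    "normal user": 40 * 60,
}

# Block page that looks like the site's ordinary "not found" page, so a blocked
# attacker cannot tell a block from a dead link. Bodies are constructed.
DISGUISED_BLOCK_PAGE = ("404 Not Found", "<h1>Not Found</h1><p>The requested URL was not found on this server.</p>")
HONEST_BLOCK_PAGE = ("403 Forbidden", "<h1>Forbidden</h1><p>Your access has been blocked.</p>")


def level_of(score):
    """Map an accumulated threat value to its danger level."""
    for name, ceiling in LEVELS:
        if score <= ceiling:
            return name
    return LEVELS[-1][0]


def ceiling_below(level):
    """Maximum accumulated threat value of the level one step lower (0 for normal user)."""
    index = [name for name, _ in LEVELS].index(level)
    return 0 if index == 0 else LEVELS[index - 1][1]


@dataclass
class Visitor:
    score: float = 0.0          # accumulated threat value, initial value 0
    last_change: float = 0.0    # time of the last dangerous behaviour or decay step
    log: list = field(default_factory=list)

    def record(self, behaviour, now):
        """S102: add the behaviour's threat value to the accumulated threat value."""
        self.score += THREAT_VALUES[behaviour]
        self.last_change = now
        self.log.append((now, behaviour, self.score))
        return self.score

    def decay(self, now):
        """Table 2: after a quiet period with no dangerous behaviour, drop one level
        and leave the score at the ceiling of the new level, so that a single new
        dangerous behaviour raises the level again."""
        level = level_of(self.score)
        if self.score > 0 and now - self.last_change >= QUIET_PERIOD[level]:
            self.score = ceiling_below(level)
            self.last_change = now
        return self.score


def defend(visitor):
    """S103: choose the defence for the visitor's current danger level.
    ASSUMED mapping of levels to the page's defence options."""
    level = level_of(visitor.score)
    if level == "normal user":
        return ("allow", None)
    if level == "suspicious user":
        return ("allow and log dangerous behaviour", None)
    if level == "general attacker":
        return ("block for the preset period", HONEST_BLOCK_PAGE)
    return ("block with disguised page", DISGUISED_BLOCK_PAGE)
```

Note that `decay` steps down one level per call once the quiet period has elapsed and resets the clock, so a dangerous attacker needs a further quiet period at each lower level before reaching zero; this is the page's "one level at a time" rule rather than a continuous decay.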
The web intrusion prevention method applied at the application layer provided by the invention assigns threat values to a visitor according to the dangerous behaviors found in the visitor's access behavior and superimposes the threat values of those dangerous behaviors to generate an accumulated threat value, so that defense can be applied on the basis of several of a user's access behaviors taken together. This solves the problem that keyword detection alone cannot detect attacks well.
As shown in Figure 2, another web intrusion prevention method applied at the application layer provided by the invention comprises:
S201, simulating application-layer system vulnerabilities using honeypot technology;
Specifically, the simulation can be based on the vulnerabilities of known web content management systems (CMS) and bulletin board systems (BBS).
Honeypot technology can simulate website vulnerabilities, and attackers readily carry out the corresponding attacks against these simulated vulnerabilities. Identifying attackers by honeypot has both a very low false-positive rate and a very low false-negative rate, so stricter defense should be applied to them.
Traditional honeypot technology is based on the transport layer and the protocols below it, and tends to forge vulnerable ports or the banner information presented when a TCP/UDP connection is established (banner information indicating the presence of some vulnerability).
The invention creatively applies honeypot technology to web applications, producing a false yet realistic web vulnerability environment.
For ease of understanding, two examples are given below:
Honeypot example 1:
Honeypot technology is used to forge an admin backend login page, placed at a common path so that attackers can discover it by probing. The backend login page displays false copyright information (the copyright information of a website with a known vulnerability), e.g. DVBBS 7.3. The default database path of DVBBS 7.3 is /data/dvbbs7.mdb, which an attacker can download directly to obtain the administrator password. Once the above system vulnerability has been simulated, the system simply waits for an attacker to access this database; as soon as a visitor does so, the simulated vulnerability has lured successfully.
Honeypot example 2:
Honeypot technology can be used to forge the following four paths: a forged phpmyadmin backend address /phpmyadmin/; a forged file /data/sql_bk.rar; forged directory-listing permission on the /data/ directory; and a forged /robot.txt whose content is:
robot.txt is generally used to tell search engines which directories are private so that they are not indexed, and it is therefore a file that attackers always check during reconnaissance. When the attacker learns of the directory /data/ from robot.txt, finds that the directory is listable and contains the file sql_bk.rar, judges from its name that it is a database backup, downloads the file (actually downloaded from the intrusion prevention system) and finds that it records the MySQL password, the attacker will go on to attempt a login at /phpmyadmin/. The system records this whole process in detail. If these access behaviors occur in sequence, the lure has succeeded.
S202, obtaining the visitor's access behavior;
The access behavior obtained may include accessing the system vulnerabilities simulated by honeypot technology.
S203, judging, according to a preset dangerous-behavior criterion, whether the access behavior is a dangerous behavior, and if so, obtaining the threat value of the access behavior from a pre-established correspondence between dangerous behaviors and threat values and adding that threat value to the visitor's accumulated threat value so as to update the accumulated threat value;
Here, the correspondence between the dangerous behaviors of accessing the application-layer system vulnerabilities simulated by honeypot technology and their threat values is added to the pre-established correspondence between dangerous behaviors and threat values. Of course, if the original correspondence already contains the entries to be added, they need not be added again.
S204, defending against the visitor's access behavior according to the visitor's accumulated threat value.
This step is identical to step S103 and is not repeated here.
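Honeypot example 2 and steps S201 to S203 as an added example in Python, not the patent's own code: a WSGI application that serves the four forged paths, records every client's steps, reports whether the robot.txt, /data/, /data/sql_bk.rar, /phpmyadmin/ sequence occurred in that order (the page's "lure succeeded" condition) and emits the corresponding dangerous-behavior names for the threat value lookup of S203. The robot.txt text, the directory listing, the bait archive bytes, the login form, the client addresses and all function names are constructed for this example; the page does not reproduce them.

```python
from collections import defaultdict
from wsgiref.util import setup_testing_defaults

# The four forged paths of honeypot example 2. All contents are CONSTRUCTED bait:
# the page does not reproduce the robot.txt text or the archive, and the
# "password" inside the archive is fake.
FAKE_PAGES = {
    "/robot.txt": ("text/plain", b"User-agent: *\nDisallow: /data/\nDisallow: /phpmyadmin/\n"),
    "/data/": ("text/html", b'<h1>Index of /data/</h1><a href="sql_bk.rar">sql_bk.rar</a>'),
    "/data/sql_bk.rar": ("application/octet-stream", b"Rar!\x1a\x07\x00MYSQL_PASSWORD=bait-only\n"),
    "/phpmyadmin/": ("text/html", b'<form method="post"><input name="pma_username">'
                                  b'<input name="pma_password" type="password"></form>'),
}

# The order in which a lured attacker walks the bait, per the page's description.
LURE_SEQUENCE = ["/robot.txt", "/data/", "/data/sql_bk.rar", "/phpmyadmin/"]

# Lure events that map onto the honeypot rows of Table 1 (names assumed).
LURE_EVENTS = {
    ("GET", "/data/sql_bk.rar"): "honeypot_database_download",
    ("POST", "/phpmyadmin/"): "honeypot_backend_login_attempt",
}


def is_subsequence(wanted, history):
    """True when every element of `wanted` appears in `history` in that order."""
    remaining = iter(history)
    return all(any(seen == step for seen in remaining) for step in wanted)


class WebHoneypot:
    """WSGI application serving the forged paths and recording each client's steps."""

    def __init__(self):
        self.history = defaultdict(list)   # client -> [(method, path), ...]

    def __call__(self, environ, start_response):
        client = environ.get("REMOTE_ADDR", "unknown")
        method, path = environ["REQUEST_METHOD"], environ.get("PATH_INFO", "/")
        self.history[client].append((method, path))
        if path in FAKE_PAGES:
            content_type, body = FAKE_PAGES[path]
            status = "200 OK"
        else:
            content_type, body = "text/html", b"<h1>Not Found</h1>"
            status = "404 Not Found"
        start_response(status, [("Content-Type", content_type),
                                ("Content-Length", str(len(body)))])
        return [body]

    def lure_succeeded(self, client):
        """The lure succeeded when the client visited the bait in the page's order."""
        return is_subsequence(LURE_SEQUENCE, [path for _, path in self.history[client]])

    def events(self, client):
        """Dangerous behaviours to feed into the S203 threat lookup, in order."""
        return [LURE_EVENTS[step] for step in self.history[client] if step in LURE_EVENTS]


def request(app, method, path, client="203.0.113.5"):
    """Drive the WSGI app without a socket; returns (status line, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO=path, REMOTE_ADDR=client)
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"] = status

    body = b"".join(app(environ, start_response))
    return result["status"], body


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, WebHoneypot()).serve_forever()
```

In a deployment the honeypot routes would be mounted on the same host name as the real application so that the forged paths are indistinguishable from genuine ones; the ordered-sequence check is what keeps a single accidental hit on /robot.txt from being counted as a successful lure.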
Corresponding to the above method embodiments, the invention also provides a web intrusion prevention system applied at the application layer.
As shown in Figure 3, a web intrusion prevention system applied at the application layer provided by an embodiment of the invention comprises: an access behavior acquisition module 100, a threat value generation module 200 and a defense module 300, wherein:
the access behavior acquisition module 100 is configured to obtain the visitor's access behavior;
the threat value generation module 200 is configured to judge, according to a preset dangerous-behavior criterion, whether the access behavior is a dangerous behavior, and if so, to obtain the threat value of the access behavior from a pre-established correspondence between dangerous behaviors and threat values and to add that threat value to the visitor's accumulated threat value so as to update the accumulated threat value;
The preset dangerous-behavior criterion may be obtained by the system learning from historical normal access behavior and dangerous access behavior. Specifically, the system may perform statistical analysis on a large volume of historical normal access behavior and/or dangerous access behavior and determine the dangerous-behavior criterion from it.
The preset dangerous-behavior criterion may comprise: the access parameters of the visitor's access behavior satisfying a preset dangerous-behavior access-parameter requirement, the visitor's access behavior carrying a dangerous keyword, the means adopted by the visitor's access behavior being dangerous, and/or the destination address accessed by the visitor's access behavior being a security-sensitive address. The access parameters of the visitor's access behavior may comprise: the length of the parameters carried by the access behavior, the type of the parameters carried by the access behavior, the submission method of the parameters carried by the access behavior, and the time interval between pages browsed by the access behavior.
The defense module 300 is configured to defend against the visitor's access behavior according to the visitor's accumulated threat value.
Specifically, visitors can be divided into several danger levels according to their current accumulated threat values, and then defended against according to their danger level. One such division is disclosed below: according to the visitor's current accumulated threat value, visitors are divided into four danger levels, namely normal user, suspicious user, general attacker and dangerous attacker, and the visitor's access behavior is then defended against according to the visitor's danger level. Of course, those skilled in the art will understand that visitors can be divided into some other number of danger levels, and the invention is not limited in this respect.
The defense processing corresponding to a danger level can take several forms, such as: not blocking any access behavior of the visitor; not blocking any access behavior of the visitor but recording the data of the dangerous behaviors in the visitor's access behavior; recording the data of the visitor's access behavior and blocking the visitor; and blocking the visitor's access within a preset time period. Of course, the above defense processing has to be matched to visitors of different danger levels, and the specific correspondence can take several forms. In practice, defense processing that does not block access corresponds to visitors with a lower danger level, and defense processing that blocks the visitor's access within a preset time period corresponds to visitors with a higher danger level.
As shown in Figure 4, another web intrusion prevention system applied at the application layer provided in an embodiment of the invention further comprises: a honeypot module 400 configured to simulate application-layer system vulnerabilities in advance using honeypot technology.
Honeypot technology can simulate system vulnerabilities, and attackers readily carry out the corresponding attacks against these simulated vulnerabilities. Visitors who carry out such attacks pose a higher security threat, so stricter defense should be applied to them.
For convenience of description, the above apparatus is described as divided into units by function. Of course, when implementing the invention, the functions of the units may be realized in one or more pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the invention can be realized by software plus a necessary general-purpose hardware platform. On this understanding, the technical scheme of the invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium such as ROM/RAM, magnetic disk or optical disk, including instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments, or in parts of the embodiments, of the invention.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and for the same or similar parts the embodiments may be referred to one another. In particular, the system embodiment is described relatively simply because it is substantially similar to the method embodiment, and the relevant parts may be found in the description of the method embodiment. The system embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over several network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The invention can be used in many general-purpose or special-purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments including any of the above systems or devices.
The invention may be described in the general context of computer-executable instructions, such as program modules, executed by a computer. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices connected through a communication network; in such environments, program modules may be located in both local and remote computer storage media including memory storage devices.
The above are only specific embodiments of the invention. It should be pointed out that those skilled in the art may make various improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.